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Chapter I: General Provisions (Articles 1- 
12) 


Article 1 This Law is enacted in accordance with 
the Constitution for the purposes of protecting 
the rights and interests on personal information, 
regulating personal information processing 
activities, and promoting reasonable use of 
personal information. 


Article 2 The personal information of natural 
persons shall be protected by law. No 
organization or individual may infringe upon 
natural persons' rights and interests on their 
personal information. 


Article 3 This Law shall apply to the processing 
of personal information of natural persons 
within the territory of the People's Republic of 
China. 


This Law shall also apply to the processing 
outside the territory of the People's Republic of 
China of the personal information of natural 
persons within the territory of the People's 
Republic of China, under any of the following 
circumstances: 


(1) for the purpose of providing products or 
services for natural persons inside the People's 
Republic of China; 


(2) analyzing or evaluating the behaviors of 
natural persons within the territory of the 
People's Republic of China; and 


(3) any other circumstance as provided by any 
law or administrative regulation. 


Article 4 "Personal information" refers to 
various information related to an identified or 
identifiable natural person recorded 
electronically or by other means, but does not 
include anonymized information. 


Personal information processing includes 
personal information collection, storage, use, 
processing, transmission, provision, disclosure 
and deletion, among others. 


Article 5 Personal information shall be 
processed according to law when it is necessary, 
with justified reason, and in good faith, and the 
processing may not involve misguidance, fraud, 
coercion, and the like. 
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Article 6 Personal information processing shall 
be based on explicit and reasonable 

purposes and directly related to those purposes, 
and shall exert the minimum impacts on the 
rights and interests of individuals. 


The collection of personal information shall be 
limited to the minimum scope required by the 
purpose of processing, and personal information 
may not be collected excessively. 


Article 7 The principles of openness and 
transparency shall be observed in the processing 
of personal information, the rules for processing 
personal information shall be disclosed, and the 
purposes, means, and scope of processing shall 
be explicitly indicated. 


Article 8 The quality of personal information 
shall be guaranteed in personal information 
processing, to avoid adverse impacts on the 
rights and interests of individuals caused by 
inaccurate and incomplete personal 
information. 


Article 9 Personal information processors shall 
be responsible for their personal information 
processing activities and take necessary 
measures to ensure the security of the personal 
information they process. 


Article 10 No organization or individual shall 
illegally collect, use, process, or transmit the 
personal information of other persons, 

or illegally trade, provide or disclose the 
personal information of other persons, 

or engage in personal information processing 
activities that endanger national security or 
harm public interests. 


Article 11 The state shall establish and improve 
the personal information protection system to 
prevent and punish infringements upon the 
rights and interests on personal information, 
strengthen publicity and education on personal 
information protection, and promote a 
favorable environment for the government, 
enterprises, relevant industry organizations, and 
the public to jointly participate in personal 
information protection. 


Article 12 The state will actively engage in the 
development of international rules on personal 
information protection, promote the 
international exchanges and cooperation in 
personal information protection, and encourage 
the mutual recognition of personal information 
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protection rules and standards, among others, 
with other countries, regions, and international 
organizations. 


Chapter II: Personal Information 
Processing Rules (Articles 13-37) 


Section 1: General Rules (Articles 13-27) 


Article 13 A personal information processor can 
process personal information of an 

individual only if one of the following 
circumstances exists: 


(1) the individual's consent has been obtained; 


(2) the processing is necessary for the 
conclusion or performance of a contract in 
which the individual is a party, or necessary for 
human resources management in accordance 
with the labor rules and regulations established 
in accordance with the law and the collective 
contracts signed in accordance with the law; 


(3) the processing is necessary for the 
performance of statutory duties or obligations; 


(4) the processing is necessary for the response 
to public health emergencies, or for the 
protection of life, health, and property safety of 
natural persons in emergencies; 


(5) the personal information is 

reasonably processed for news reporting, media 
supervision, and other activities conducted in 
the public interest; 


(6) the personal information disclosed by the 
individual himself or other legally disclosed 
personal information of the individual is 
reasonably processed in accordance with this 
Law; and 


(7) other circumstances as provided by laws or 
administrative regulations. 


Individual consent shall be obtained for 
processing personal information if any other 
relevant provisions of this Law so provide, 
except under the circumstances specified in 
Subparagraphs (2) to (7) of the preceding 
paragraph. 


Article 14 Where personal information 
processing is based on individual consent, the 
individual consent shall be voluntary, explicit, 
and fully informed. Where any other law or 
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administrative regulation provides that 

an individual's separate consent or written 
consent must be obtained for processing 
personal information, such provisions shall 


apply. 


In the case of any change of the purposes or 
means of personal information processing, or 
the category of processed personal 
information, a new consent shall be obtained 
from the individual. 


Article 15 Where personal information 
processing is based on individual consent, an 
individual shall have the right to withdraw his 
consent. Personal information processors shall 
provide convenient ways for individuals to 
withdraw their consents. 


The withdrawal of consent shall not affect the 
validity of the processing activities conducted 
based on consent before it is withdrawn. 


Article 16 A personal information processor shall 
not refuse to provide products or services for an 
individual on the grounds that the 

individual withholds his consent for the 
processing of his personal information or has 
withdrawn his consent for the processing of 
personal information, except where the 
processing of personal information is necessary 
for the provision of products or services. 


Article 17 A personal information processor 
shall, before processing personal information, 
truthfully, accurately and fully inform an 
individual of the following matters in a easy-to- 
notice manner and in clear and easy-to- 
understand language: 


(1) the name and contact information of the 
personal information processor; 


(2) the purposes and means of personal 
information processing, and the categories and 
storage periods of the personal information to 
be processed; 


(3) the methods and procedures for the 
individual to exercise his rights as provided in 
this Law; and 


(4) other matters that the individual should be 
notified of as provided by laws and 
administrative regulations. 
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Where any matter as set forth in the preceding 
paragraph changes, the individual shall be 
informed of the change. 


Where the personal information processor 
informs an individual of the matters specified in 
the first paragraph by formulating personal 
information processing rules, the processing 
rules shall be made public and be easy to consult 
and save. 


Article 18 When processing personal 
information, personal information processors 
are permitted not to inform individuals of the 
matters specified in the first paragraph of the 
preceding article where laws or administrative 
regulations require confidentiality or provide no 
requirement for such notification. 


Where it is impossible to notify individuals in a 
timely manner in a bid to protect natural 
persons ' life, health and property safety in case 
of emergency, the personal information 
processors shall notify them without delay after 
the emergency is removed. 


Article 19 Except as otherwise provided by laws 
and administrative regulations, the storage 
period of personal information shall be the 
minimum time necessary to achieve the purpose 
of processing. 


Article 20 Where two or more personal 
information processors jointly determine the 
purposes and means of processing certain 
personal information, they shall reach an 
agreement on their respective rights and 
obligations in processing the personal 
information. However, this agreement shall not 
affect an individual's request to any one of them 
to exercise his rights as provided in this Law. 


Where, in jointly processing certain personal 
information, a processor infringes the rights and 
interests on personal information and 

causes damages, other personal 

information processors shall bear joint and 
several liability in accordance with law. 


Article 21 A personal information processor 
entrusting the processing of certain personal 
information to a party shall reach an agreement 
with the entrusted party on the purposes, 
period and means of processing, the categories 
of personal information to be processed and the 
protection measures, as well as the rights and 
obligations of both parties, among others, 
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and shall supervise the personal information 
processing activities of the entrusted party. 


The entrusted party shall process personal 
information in accordance with the agreement 
and may not process personal information 
beyond the purposes, means and other 
conditions as agreed upon. Where the 
entrustment contract has not taken effect, or 
is invalid, or is revoked or terminated, the 
entrusted party shall return the personal 
information in question to the personal 
information processor or delete it and shall not 
retain the personal information. 


Without the consent of the personal information 
processor, the entrusted party may not sub- 
contract the processing of personal information 
to any other party. 


Article 22 Where a personal information 
processor needs to transfer personal 
information due to a merger, division, 
dissolution, or bankruptcy or for other reasons, 
the processor shall inform the individuals of the 
name and contact information of the 

recipient of the transferred personal 
information. The recipient shall continue to 
perform the obligations of the said personal 
information processor. Any change of the 
original purposes or means of processing by the 
recipient shall be subject to individual consent in 
accordance with this Law. 


Article 23 To provide personal information for 
any other processor, a personal information 
processor shall inform the individuals of the 
recipient's name and contact information, the 
purposes and means of processing and the 
categories of personal information to be 
processed, and shall obtain the individuals’ 
separate consent. The recipient shall process 
personal information within the scope of the 
purposes, means, and categories of personal 
information mentioned above. Any change of 
the purposes or means of processing by the 
recipient shall be subject to individual consent in 
accordance with this Law. 


Article 24 Personal information processors using 
personal information for automated decision 
making shall ensure the transparency of the 
decision making and the fairness and 
impartiality of the results, and may not apply 
unreasonable differential treatment to 
individuals in terms of transaction prices and 
other transaction conditions. 
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Information push and commercial marketing to 
individuals based on automated decision making 
shall be simultaneously accompanied by options 
not specific to their personal characteristics or 
with convenient means for individuals to refuse. 


Where a decision that may have a significant 
impact on an individual's rights and interests is 
made through automated decision making, the 
individual shall have the right to request 
clarification from the personal information 
processor and the right to refuse the processor 
for making the decision only through automated 
decision making. 


Article 25 Personal information processors shall 
not disclose the personal information they 
process, except where separate consents has 
been obtained from the individuals. 


Article 26 Image collection and personal 
identification equipment in public places shall be 
installed only when it is necessary for the 
purpose of maintaining public security, and shall 
be installed in compliance with the relevant 
provisions of the state and with prominent 
reminders. The personal images and 
identification information collected can only be 
used for the purpose of maintaining public 
security and, unless the individuals’ separate 
consents are obtained, shall not be used for any 
other purpose. 


Article 27 A personal information processor 
may reasonably process the personal 
information disclosed by an individual himself or 
other legally disclosed personal 

information, except where the individual 
expressly refuses. Where the processing of 
disclosed personal information may have a 
significant impact on an individual's rights and 
interests, the personal 

information processors shall first obtain the 
individual's consent in accordance with the 
provisions of this Law. 


Section 2: Rules on Processing Sensitive 
Personal Information (Articles 28-32) 


Article 28 "Sensitive personal information" is 
personal information that once leaked or 
illegally used, may easily lead to the 
infringement of the personal dignity of a natural 
person or may endanger his personal safety or 
property, including information such 

as biometrics, religious belief, specific identity, 
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medical health status, financial accounts, and 
the person's whereabouts, as well 

as the personal information of a minor 

under the age of 14 years. 


Personal information processors can process 
sensitive personal information only when 
there is a specific purpose and when it is of 
necessity, under the circumstance where strict 
protective measures are taken. 


Article 29 For the processing of sensitive 
personal information, individual's separate 
consent shall be obtained. Where other laws or 
administrative regulations provide that written 
consent shall be obtained for the processing of 
sensitive personal information, such provisions 
shall prevail. 


Article 30 In addition to the matters specified 
in the first paragraph of Article 17 of this Law, 
a processor processing sensitive personal 
information shall notify an individual of the 
necessity of processing his sensitive personal 
information and the impact it has on his rights 
and interests, except where such notification is 
not required in accordance with the provisions 
of this Law. 


Article 31 To process the personal information 
of minors under the age of 14, personal 
information processors shall obtain the consent 
of the parents or other guardians of the minors. 


Personal information processors processing the 
personal information of minors under the age of 
14 shall develop special rules for processing such 
personal information. 


Article 32 Where other laws or administrative 
regulations provide that relevant administrative 
permit shall be obtained for the processing 

of sensitive personal information or impose 
other restrictions, such provisions shall prevail. 


Section 3: Special Provisions on the 
Processing of Personal Information by State 
Organs (Articles 33-37) 


Article 33 This Law shall apply to the processing 
of personal information by state organs; where 
there are special provisions in this Section, the 
provisions of this Section shall prevail. 


Article 34 When state organs process personal 
information in order to perform their statutory 
duties, they shall act in accordance with the 
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authority and procedures prescribed by laws 
and administrative regulations, and shall not 
exceed the scope and limits necessary to 
perform their statutory duties. 


Article 35 When state organs process personal 
information in order to perform their statutory 
duties, they shall fulfill the obligation of 
notification in accordance with the provisions of 
this Law, except under the circumstances 
specified in the first paragraph of Article 18 of 
this Law or where notification will hinder the 
state organs from performing their statutory 
duties. 


Article 36 Personal information processed by 
state organs shall be stored within the territory 
of the People's Republic of China. A security 
assessment shall be conducted where it is truly 
necessary to provide such information for any 
party outside of the territory of the People's 
Republic of China. In the security assessment the 
relevant departments shall provide support and 
assistance if so requested. 


Article 37 Where organizations authorized by 
laws or regulations with the function of 
administering public affairs process personal 
information in order to fulfill their statutory 
duties, the provisions herein on the processing 
of personal information by state organs shall 


apply. 


Chapter III: Rules on Provision of 
Personal Information Across Border 
(Articles 38-43) 


Article 38 A personal information processor that 
truly needs to provide personal information 

for a party outside the territory of the People's 
Republic of China for business sake or other 
reasons, shall meet one of the following 
requirements: 


(1) passing the security assessment organized by 
the national cyberspace department in 
accordance with Article 40 of this Law; 


(2) obtaining personal information protection 
certification from the relevant specialized 
institution according to the provisions issued by 
the national cyberspace department; 


(3) concluding a contract stipulating both 
parties' rights and obligations with the overseas 
recipient in accordance with the standard 


contract formulated by the national cyberspace 
department; and 


(4) meeting other conditions set forth by laws 
and administrative regulations and by the 
national cyberspace department. 


Where an international treaty or agreement that 
the People's Republic of China has concluded or 
acceded to stipulates conditions for providing 
personal information for a party outside the 
territory of the People's Republic of China, such 
stipulations may be followed. 


The personal information processor shall take 
necessary measures to ensure that the personal 
information processing activities of the overseas 
recipient meet the personal information 
protection standards set forth in this Law. 


Article 39 Where a personal information 
processor provides personal information for any 
party outside the territory of the People's 
Republic of China, the processor shall inform the 
individuals of the overseas recipient's name and 
contact information, the purposes and means of 
processing, the categories of personal 
information to be processed, as well as the 
methods and procedures for the individuals to 
exercise their rights as provided in this Law over 
the overseas recipient, etc., and shall obtain 
individual's separate consent. 


Article 40 Critical information infrastructure 
Operators and the personal information 
processors that process personal information up 
to the amount prescribed by the national 
cyberspace department shall store domestically 
the personal information collected and 
generated within the territory of the People's 
Republic of China. Where it is truly necessary to 
provide the information for a party outside the 
territory of the People's Republic of China, the 
matter shall be subjected to security assessment 
organized by the national cyberspace 
department. Where laws, administrative 
regulations, or the provisions issued by the 
national cyberspace department provide that 
security assessment is not necessary, such 
provisions shall prevail. 


Article 41 The competent authorities of the 
People's Republic of China shall handle foreign 
judicial or law enforcement authorities’ 

requests for personal information stored within 
China in accordance with relevant laws and the 
international treaties and agreements concluded 
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or acceded to by the People's Republic of China, 
or under the principle of equality and 
reciprocity. Without the approval of the 
competent authorities of the People's Republic 
of China, no organization or individual shall 
provide data stored in the territory of the 
People's Republic of China for any foreign 
judicial or law enforcement authority. 


Article 42 Where overseas organizations or 
individuals engage in personal information 
processing activities, which infringe upon the 
rights and interests of citizens of the People's 
Republic of China on personal information or 
endanger the national security or public 
interests of the People's Republic of China, the 
national cyberspace department may include 
them in a list of restricted or 

prohibited recipients of personal information, 
publicize the list, and take measures such as 
restricting or prohibiting the provision of 
personal information for such organizations and 
individuals. 


Article 43 Where any country or region adopts 
any prohibitive, restrictive or other similar 
discriminatory measures against the People's 
Republic of China in terms of personal 
information protection, the People's Republic of 
China may take countermeasures against the 
aforesaid country or region based on actual 
situations. 


Chapter IV: Individuals’ Rights in 
Personal Information Processing 
Activities (Articles 44-50) 


Article 44 Individuals shall have the right to be 
informed, the right to make decisions on the 
processing of their personal information, and 
the right to restrict or refuse the processing of 
their personal information by others, except as 
otherwise provided by laws or administrative 
regulations. 


Article 45 Individuals shall have the right to 
consult and duplicate their personal information 
from personal information processors, except 
under circumstances as set out in the first 
paragraph of Article 18 and Article 35 of this 
Law. 


Where an individual requests the consultation or 
duplication of his personal information, the 
requested personal information processor shall 
provide such information in a timely manner. 
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Where an individual requests the transfer of his 
personal information to a designated personal 
information processor, which meets 

the requirements of national cyberspace 
department for transferring personal 
information , the requested personal 
information processor shall provide means for 
the transfer. 


Article 46 Where an individual discovers that his 
personal information is incorrect or incomplete, 
he shall have the right to request the personal 
information processors to rectify or supplement 
relevant information. 


Where an individual requests the rectification or 
supplementation of his personal information, 
the personal information processors shall verify 
the information in question, and make 
rectification or supplementation in a timely 
manner. 


Article 47 In any of the following circumstances, 
a personal information processor shall take the 
initiative to erase personal information, and 

an individual has the right to request the 
deletion of his personal information if the 
personal information processor fails to erase the 
information: 


(1) the purposes of processing have been 
achieved or cannot be achieved, or such 
information is no longer necessary for achieving 
the purposes of processing; 


(2) the personal information processor ceases to 
provide products or services, or the storage 
period has expired; 


(3) the individual withdraws his consent; 


(4) the personal information 

processor processes personal information in 
violation of laws, administrative regulations, or 
agreements; or 


(5) other circumstances as provided by laws and 
administrative regulations. 


Where the storage period provided by any law 
or administrative regulation has not expired, or 
it is difficult to erase personal information 
technically, the personal information processor 
shall cease the processing of personal 
information other than storing and taking 
necessary security protection measures for such 
information. 


PDF version created by NoTies.Consulting riealeksandra.com 


Article 48 An individuals has the right to 
request a personal information processor to 
interpret the personal information processing 
rules developed by the latter. 


Article 49 The close relatives of a deceased 
natural person may, for their own legal and 
legitimate interests, exercise the rights to 
handle the personal information of the 
deceased, such as consultation, duplication, 
rectification, and deletion, as provided in this 
Chapter, except as otherwise arranged by the 
deceased before death. 


Article 50 A personal information processor shall 
establish the mechanism for receiving and 
handling individuals’ requests for exercising 
their rights. Where an individual's request is 
rejected, the reasons therefor shall be given. 


Where an individual's request to exercise his 
rights is rejected by a personal information 
processor, the individual may file a lawsuit 
with the people's court in accordance with the 
law. 


Chapter V: Obligations of Personal 
Information Processors (Articles 51-59) 


Article 51 Personal information processors shall 
take the following measures to ensure that their 
personal information processing activities are in 
compliance with laws and administrative 
regulations based on the purpose and means of 
processing, the categories of personal 
information to be processed, the impact on 
personal rights and interests, and the potential 
security risks, among others, and shall prevent 
unauthorized access to, as well as breach, 
tampering or loss of any personal information: 


(1) formulating internal management system 
and operational procedures; 


(2) implementing classified management of 
personal information; 


(3) adopting corresponding security technical 
measures such as encryption and de- 
identification; 


(4) reasonably determining the 

operational authority of personal information 
processing, and regularly conducting safety 
education and training for practitioners; 
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(5) formulating contingent plans for personal 
information security emergencies and organizing 
the implementation of such plans; and 


(6) other measures as provided by laws and 
administrative regulations. 


Article 52 A personal information processor that 
processes personal information up to the 
amount prescribed by the national cyberspace 
department shall designate a person in charge 
of personal information protection, who shall 
supervise the personal information processing 
activities of the processor as well 

as the protective measures taken thereby, 
among others. 


The personal information processor shall 
disclose the contact information of the person in 
charge of personal information protection, and 
submit the said person's name, contact 
information, and other information to the 
departments with personal information 
protection duties. 


Article 53 Personal information processors 
outside the territory of the People's Republic of 
China as specified in the second paragraph of 
Article 3 of this Law shall set up specialized 
agencies or designate representatives within the 
territory of the People's Republic of China to be 
responsible for handling personal information 
protection related matters, and shall submit the 
names, contact information, and other 
information of the agencies and representatives 
to the departments with personal information 
protection duties. 


Article 54 Personal information processors shall 
regularly conduct compliance audits of their 
personal information processing activities with 
laws and administrative regulations. 


Article 55 In any of the following circumstances, 
a personal information processor shall assess in 
advance the impact on personal information 
protection and keep a record of the course of 
the processing: 


(1) processing sensitive personal information; 


(2) using personal information to conduct 
automated decision making; 


(3) entrusting personal information 
processing to another party, providing personal 
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information for another party, or 
publicizing personal information; 


(4) providing personal information for any party 
outside the territory of the People's Republic of 
China; or 


(5) conducting other personal information 
processing activities which may have significant 
impacts on individuals. 


Article 56 The assessment of impact on personal 
information protection shall include the 
following contents: 


(1) whether the purposes and means of personal 
information processing, are legitimate, justified 
and necessary; 


(2) the impact on individuals’ rights and 
interests, and security risks; and 


(3) whether the protection measures taken are 
legitimate, effective, and compatible with the 
degree of risks. 


The report of the impact assessment on 
personal information protection and the 
processing record shall be retained for at least 
three years. 


Article 57 Where the breach, tampering, or loss 
of personal information occurs or may occur, 

a personal information processor shall 
immediately take remedial measures and notify 
the departments with personal information 
protection duties and the relevant individuals. 
The notice shall include the following items: 


(1) the categories of personal information that 
has been or may be breached, tampered with or 
lost, and the reasons and possible harm of the 
breach, tampering and loss; 


(2) the remedial measures adopted by the 
personal information processor and the 
measures the individuals may take to mitigate 
the harm; and 


(3) the contact information of the personal 
information processor. 


Where the measures taken by the personal 
information processor can effectively avoid the 
harm caused by breach, tampering, or loss of 
personal information, the personal information 
processor is not required to notify individuals; 


where the departments with personal 
information protection duties consider that 
harm may be caused, they have the authority to 
request the personal information processor to 
notify individuals. 


Article 58 A personal information processor that 
provides important internet platform services 
involving a huge number of users and 
complicated business types shall perform the 
following obligations: 


(1) establishing and improving the personal 
information protection compliance system in 
accordance with the provisions of the state and 
establishing an independent organization mainly 
composed of external members to supervise the 
protection of personal information; 


(2) following the principles of openness, 
fairness, and justice, formulating platform rules, 
and clarifying the norms and obligations that 
product or service providers within the 

platform should meet when processing personal 
information; 


(3) stopping providing services for product or 
service providers within the platforms that 
process personal information in serious violation 
of laws and administrative regulations; and 


(4) regularly publishing social responsibility 
reports on personal information protection for 
public supervision. 


Article 59 The party entrusted with the 
processing of personal information shall, in 
accordance with this Law and relevant laws and 
administrative regulations, take the necessary 
measures to ensure the security of the personal 
information entrusted for processing, and assist 
the entrusting personal information processor in 
fulfilling the obligations provided by this Law. 


Chapter VI: Departments with Personal 
Information Protection Duties (Articles 
60-65) 


Article 60 The national cyberspace 

department shall be responsible for the overall 
planning and coordination of personal 
information protection and related supervision 
and administration. The relevant departments of 
the State Council shall, in accordance with this 
Law and other relevant laws and administrative 
regulations, be responsible for personal 
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information protection and related supervision 
and administration within the scope of their 
respective duties. 


The duties of personal information 

protection and related supervision and 
administration of the relevant departments of 
the local people's governments at or above the 
county level shall be determined in accordance 
with the relevant provisions of the state. 


The departments provided in the preceding two 
paragraphs are collectively referred to as the 
departments with personal information 
protection duties. 


Article 61 Departments with personal 
information protection duties shall perform the 
following personal information protection 
duties: 


(1) conducting publicity and education on 
personal information protection, and guiding 
and supervising personal information 
processors in their protection of personal 
information; 


(2) receiving and handling complaints and 
reports related to personal information 
protection; 


(3) organizing evaluations on applications, etc. in 
terms of personal information protection and 
publish the results of such evaluations; 


(4) investigating and handling illegal personal 
information processing activities; and 


(5) other duties as provided by laws and 
administrative regulations. 


Article 62 The national cyberspace 
department shall coordinate relevant 
departments to promote personal information 
protection through the following efforts in 
accordance with this Law: 


(1) formulating specific rules and standards for 
personal information protection; 


(2) developing special personal information 
protection rules and standards for small 
personal information processors, the processing 
of sensitive personal information, and new 
technologies and applications such as face 
recognition and artificial intelligence; 


(3) supporting the research and 

development, and promoting the application of 
secure and convenient electronic identity 
authentication technology, and advancing 

the public services for network identity 
authentication; 


(4) promoting the development of a personal 
information protection service system with the 
participation of various social sectors, and 
supporting relevant institutions in providing 
personal information protection assessment and 
certification services; and 


(5) improving the complaint and reporting 
mechanism related to personal information 
protection . 


Article 63 A department with personal 
information protection duties when fulfilling 
related duties may take the following measures: 


(1) questioning relevant parties, and 
investigating circumstances related to personal 
information processing activities; 


(2) consulting and duplicating the parties’ 
contracts, records, account books and other 
relevant materials related to personal 
information processing activities; 


(3) conducting on-site inspections, 
and investigating suspected illegal personal 
information processing activities; and 


(4) inspecting equipment and articles related to 
personal information processing activities; and 
sealing up or seizing equipment and articles 
related to illegal personal information 
processing activities as proved by evidence after 
submitting written reports to and obtaining 
approval from the principal person in charge of 
the departments with personal information 
protection duties. 


When departments with personal information 
protection duties carry out their duties in 
accordance with the law, the parties concerned 
shall cooperate and provide assistance, and shall 
not reject or obstruct them. 


Article 64 Where a department with personal 
information protection duties finds, 

when performing its duties, relatively high risks 
in personal information processing activities or 
the occurrence of personal information security 
incidents, the department may hold an 
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interview with the legal representative or the 
principal person in charge of the personal 
information processor according to the provided 
authority and procedures, or request the 
processor to entrust a professional institution to 
conduct compliance audits of the personal 
information processing activities. The personal 
information processor shall adopt 

measures to make rectification and eliminate 
potential risks as required. 


Where a department with personal information 
protection duties, in performing its duties, 

finds an illegal personal 

information processing activity that may involve 
a crime, the department shall transfer the 

case to the public security organ in a timely 
manner in accordance with the law. 


Article 65 Any organization or individual has the 
right to complain and report to a department 
with personal information protection duties 
about illegal personal information processing. 
The department that receives such a complaint 
or report shall handle it in a timely manner in 
accordance with the law, and notify the 
complainant or informant of the results. 


Departments with personal information 
protection duties shall publish their contact 
information for receiving complaints and 
reports. 


Chapter VII: Legal Liability (Articles 66- 
71) 


Article 66 Where personal information is 
processed in violation of the provisions of this 
Law or without fulfilling the personal 
information protection obligations provided in 
this Law, the departments with personal 
information protection duties shall order the 
violator to make corrections, give a warning, 
confiscate the illegal gains, and order the 
suspension or termination of provision of 
services by the applications that illegally process 
personal information; where the violator refuses 
to make corrections, a fine of not more than 
RMB one million yuan shall be imposed 
thereupon; and the directly liable persons in 
charge and other directly liable persons shall 
each be fined not less than RMB 10,000 yuan 
nor more than RMB 100,000 yuan. 


In case of an illegal act as prescribed in the 
preceding paragraph and the circumstances are 


serious, the departments with personal 
information protection duties at or above the 
provincial level shall order the violator to make 
corrections, confiscate the illegal gains, impose a 
fine of not more than RMB 50 million yuan or 
not more than five percent of the previous 
year's turnover; may also order the suspension 
of relevant businesses, or order the suspension 
of all the business operations for an overhaul, 
and notify the competent authorities to revoke 
relevant business permits or license; shall 
impose a fine of not less than RMB 100,000 yuan 
but not more than RMB 1 million yuan upon 
each of the directly liable persons in charge and 
other directly liable persons, and may decide to 
prohibit the abovementioned persons from 
serving as directors, supervisors, senior 
managers, or the persons in charge of 

relevant companies within a specific period of 
time. 


Article 67 Any violation of the provisions of this 
Law shall be entered in the relevant credit 
record and be published in accordance with the 
provisions of the relevant laws and 
administrative regulations. 


Article 68 Where any state organ fails to fulfill 
the personal information protection obligations 
as provided in this Law, the organ at the higher 
level or the departments with personal 
information protection duties shall order it to 
make corrections, and discipline the directly 
liable person in charge and other directly liable 
persons in accordance with the law. 


Where a staff member of a department with 
personal information protection duties neglects 
duties, abuses power, or practices favoritism, 
which does not constitute a crime, the staff 
member shall be subject to sanction in 
accordance with the law. 


Article 69 Where a personal information 
processor infringes the rights or interests on 
personal information due to any personal 
information processing activity and cannot 
prove that the processor is not at fault, 

the processor shall assume the liability for 
damages and other tort liability. 


The liability for damages prescribed in the 
preceding paragraph shall be determined based 
on the losses of individuals incurred thereby and 
the benefits acquired by the infringing personal 
information processor; and where it is difficult 
to determine the aforementioned losses or the 
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benefits, the amount of damages shall be 
determined based on the actual circumstances. 


Article 70 Where a personal information 
processor processes personal information in 
violation of the provisions of this 

Law and infringes the rights and interests 

of many individuals, the people's procuratorate, 
the consumer organizations specified by 

law, and the organization designated by the 
national cyberspace department may file a 
lawsuit with the people's court in accordance 
with the law. 


Article 71 Any violation of this Law which 
constitutes a violation of public security 


administration shall be subject to public security 


administration penalty in accordance with the 
law. If the violation constitutes a crime, the 
violator shall be held criminally liable in 
accordance with the law. 


Chapter VIII: Supplementary Provisions 
(Articles 72-74) 


Article 72 This Law is not applicable where a 
natural person processes personal information 
for personal or household affairs. 


Where other laws provide personal information 
processing in statistical or archives 


management activities organized and conducted 


by the people's governments at all levels and 
their relevant departments, the provisions of 
such laws shall prevail. 


Article 73 For purposes of this Law, the 
following terms shall have the following 


meanings: 


(1) "A personal information processor" refers to 


an organization or individual that autonomously 
determines the purposes and means of personal 


information processing. 


(2) "automated decision making" refers to the 
activities of automatically analyzing and 
evaluating personal behaviors, hobbies, or 
economic, health, and credit status, among 
others, through computer programs, and 
making decisions. 


(3) "de-identification" refers to processing 
personal information to make it impossible to 
identify specific natural persons in the absence 
of the support of additional information. 


(4) "anonymization" refers to the process of 
processing personal information to make it 
impossible to identify specific natural persons 
and impossible to restore. 


Article 74 This Law shall come into force as 
of November 1st , 2021. 
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